AI Agents Have an Identity Problem — and Attackers Already Know It

AI Agents Have an Identity Problem — and Attackers Already Know It

Every identity system your company runs — Active Directory, your IdP, your access reviews — rests on one quiet assumption: behind every account there is a human being whose status changes through HR events. Someone is hired, an account is provisioned. Someone changes roles, access is adjusted. Someone leaves, access is revoked.

AI agents break every part of that assumption. They have no employment record, no manager and no departure date. And they are appearing in companies at a pace that identity governance was never designed for — as chatbots with database access, coding agents with repository rights, automation agents wired into email, calendars and CRMs.

Why this is a security problem, not a philosophy problem

An AI agent is, from the infrastructure's point of view, a set of credentials: API keys, OAuth tokens, service accounts. Recent incidents show exactly how this goes wrong.

In July 2026, Kaspersky documented Umbrij, malware attributed to the ToddyCat espionage group, that quietly obtains OAuth tokens to read corporate Gmail through Google's own API — no password theft needed, just a token the infrastructure happily honours. Weeks earlier, Salesforce had to disable an entire third-party integration after OAuth token abuse exposed customer data. Neither attack needed to touch a human account. They lived entirely in the non-human identity layer — the layer most organizations cannot even enumerate.

Now add agents that act autonomously. An agent with a standing token is a privileged user that never sleeps, never gets an access review, and never shows up in the leaver process.

The four failure points

  • No inventory. Most organizations cannot answer "how many AI agents and service identities do we have, and what can each one reach?" Shadow AI makes this worse — employees connect agents to corporate data without any registration.
  • No ownership. When an agent misbehaves, whose problem is it? Identity lifecycle management assumes a manager; agents often have a developer who left the project two quarters ago.
  • Privilege accumulation. Agents get broad scopes because narrow ones are fiddly ("just give it full mailbox access"). Unlike humans, nobody ever asks whether the agent still needs it.
  • No offboarding. Projects end; tokens do not. Long-lived credentials for abandoned agents are the new orphaned accounts — except with API-speed access to your data.

What to do about it, in order

  • Inventory first. Enumerate service accounts, API keys, OAuth grants and agent integrations across your IdP, cloud consoles and SaaS admin panels. In Google Workspace and Microsoft 365, review third-party app grants specifically — that is where shadow agents live.
  • Assign a human owner to every non-human identity. One name, accountable for what the agent can access and for retiring it. No owner, no token.
  • Scope down and shorten. Least-privilege scopes instead of "full access", short-lived credentials instead of eternal keys, and rotation you can actually execute.
  • Monitor the non-human layer. A service identity suddenly reading a hundred mailboxes, or an agent authenticating from new infrastructure, should page someone — the Umbrij campaign was invisible precisely because nobody watches token-based access.
  • Build the leaver process for agents. When a project, vendor or experiment ends, tokens are revoked the same day. Put it in the checklist next to laptop returns.
  • Bring it into your audits. NIS 2's access-control and asset-management measures (Article 21) do not distinguish between human and non-human identities — your auditors eventually won't either. Our audit and compliance services increasingly treat non-human identity governance as a first-class control.

The uncomfortable question

Here is the test we suggest to every IT manager: pick one AI agent or integration your company uses today, and try to answer three questions. What exactly can it access? Who owns it? How would you shut it off in five minutes?

If any answer is missing, that is the gap — and attackers have already shown they know where it is. If you want a structured look at how your AI systems and their identities hold up under attack, that is exactly what our AI/LLM security assessments are for.


This article is general information based on public reporting by The Hacker News, BleepingComputer, Kaspersky and Token Security.

Back to blog